<!doctype html><html lang="en"><head><script defer src="https://cdn.optimizely.com/js/16180790160.js"></script><title data-rh="true">Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&amp;CK v10 | by Rex Guo | Confluera Engineering | Dec, 2021 | Medium</title><meta data-rh="true" charset="utf-8"/><meta data-rh="true" name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"/><meta data-rh="true" name="theme-color" content="#000000"/><meta data-rh="true" name="twitter:app:name:iphone" content="Medium"/><meta data-rh="true" name="twitter:app:id:iphone" content="828256236"/><meta data-rh="true" property="al:ios:app_name" content="Medium"/><meta data-rh="true" property="al:ios:app_store_id" content="828256236"/><meta data-rh="true" property="al:android:package" content="com.medium.reader"/><meta data-rh="true" property="fb:app_id" content="542599432471018"/><meta data-rh="true" property="og:site_name" content="Medium"/><meta data-rh="true" property="og:type" content="article"/><meta data-rh="true" property="article:published_time" content="2021-12-03T19:03:28.562Z"/><meta data-rh="true" name="title" content="Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&amp;CK v10 | by Rex Guo | Confluera Engineering | Dec, 2021 | Medium"/><meta data-rh="true" property="og:title" content="Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&amp;CK v10"/><meta data-rh="true" property="twitter:title" content="Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&amp;CK v10"/><meta data-rh="true" name="twitter:site" content="@Medium"/><meta data-rh="true" name="twitter:app:url:iphone" content="medium://p/da7da34ed301"/><meta data-rh="true" property="al:android:url" content="medium://p/da7da34ed301"/><meta data-rh="true" property="al:ios:url" content="medium://p/da7da34ed301"/><meta data-rh="true" property="al:android:app_name" 
content="Medium"/><meta data-rh="true" name="description" content="This blog discusses a Linux reflective code loading technique newly added in the MITRE ATT&amp;CK framework v10 update. Our research team contributed this technique to the MITRE ATT&amp;CK organizers to help…"/><meta data-rh="true" property="og:description" content="Summary"/><meta data-rh="true" property="twitter:description" content="Summary"/><meta data-rh="true" property="og:url" content="https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301"/><meta data-rh="true" property="al:web:url" content="https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301"/><meta data-rh="true" property="og:image" content="https://miro.medium.com/max/680/1*Mbys1dtuQsMUa8q0NtkpDw.png"/><meta data-rh="true" name="twitter:image:src" content="https://miro.medium.com/max/680/1*Mbys1dtuQsMUa8q0NtkpDw.png"/><meta data-rh="true" name="twitter:card" content="summary_large_image"/><meta data-rh="true" property="article:author" content="https://rex-11050.medium.com"/><meta data-rh="true" name="twitter:creator" content="@Xiaofei_REX"/><meta data-rh="true" name="author" content="Rex Guo"/><meta data-rh="true" name="robots" content="index,follow,max-image-preview:large"/><meta data-rh="true" name="referrer" content="unsafe-url"/><meta data-rh="true" name="twitter:label1" content="Reading time"/><meta data-rh="true" name="twitter:data1" content="4 min read"/><link data-rh="true" rel="search" type="application/opensearchdescription+xml" title="Medium" href="/osd.xml"/><link data-rh="true" rel="apple-touch-icon" sizes="152x152" href="https://miro.medium.com/fit/c/152/152/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="120x120" href="https://miro.medium.com/fit/c/120/120/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" 
rel="apple-touch-icon" sizes="76x76" href="https://miro.medium.com/fit/c/76/76/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="60x60" href="https://miro.medium.com/fit/c/60/60/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="mask-icon" href="https://cdn-static-1.medium.com/_/fp/icons/Medium-Avatar-500x500.svg" color="#171717"/><link data-rh="true" rel="preconnect" href="https://glyph.medium.com" crossOrigin=""/><link data-rh="true" rel="preconnect" href="https://logx.optimizely.com"/><link data-rh="true" id="glyph_preload_link" rel="preload" as="style" type="text/css" href="https://glyph.medium.com/css/unbound.css"/><link data-rh="true" id="glyph_link" rel="stylesheet" type="text/css" href="https://glyph.medium.com/css/unbound.css"/><link data-rh="true" rel="author" href="https://rex-11050.medium.com"/><link data-rh="true" rel="canonical" href="https://medium.com/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301"/><link data-rh="true" rel="alternate" href="android-app://com.medium.reader/https/medium.com/p/da7da34ed301"/><link data-rh="true" rel="icon" href="https://miro.medium.com/1*m-R_BkNf1Qjr1YbyOIJY2w.png"/><script data-rh="true" type="application/ld+json">{"@context":"http:\u002F\u002Fschema.org","@type":"NewsArticle","image":["https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F1200\u002F1*Mbys1dtuQsMUa8q0NtkpDw.png"],"url":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering\u002Freflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301","dateCreated":"2021-12-03T19:03:28.562Z","datePublished":"2021-12-03T19:03:28.562Z","dateModified":"2021-12-22T03:39:54.598Z","headline":"Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&CK v10","name":"Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&CK v10","description":"This blog discusses a Linux reflective 
code loading technique newly added in the MITRE ATT&CK framework v10 update. Our research team contributed this technique to the MITRE ATT&CK organizers to help…","identifier":"da7da34ed301","author":{"@type":"Person","name":"Rex Guo","url":"https:\u002F\u002Frex-11050.medium.com"},"creator":["Rex Guo"],"publisher":{"@type":"Organization","name":"Confluera Engineering","url":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering","logo":{"@type":"ImageObject","width":60,"height":60,"url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F120\u002F1*ZP9VuUzDajG62zTUd0fdpw.png"}},"mainEntityOfPage":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering\u002Freflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301"}</script><link rel="preload" href="https://cdn.optimizely.com/js/16180790160.js" as="script"><style type="text/css" data-fela-rehydration="474" data-fela-type="STATIC">html{box-sizing:border-box}*, *:before, *:after{box-sizing:inherit}body{margin:0;padding:0;text-rendering:optimizeLegibility;-webkit-font-smoothing:antialiased;color:rgba(0,0,0,0.8);position:relative;min-height:100vh}h1, h2, h3, h4, h5, h6, dl, dd, ol, ul, menu, figure, blockquote, p, pre, form{margin:0}menu, ol, ul{padding:0;list-style:none;list-style-image:none}main{display:block}a{color:inherit;text-decoration:none}a, button, input{-webkit-tap-highlight-color:transparent}img, svg{vertical-align:middle}button{background:transparent;overflow:visible}button, input, optgroup, select, textarea{margin:0}:root{--reach-tabs:1;--reach-menu-button:1}#speechify-root{font-family:Sohne, sans-serif}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="KEYFRAME">@-webkit-keyframes k1{from{filter:hue-rotate(0deg)}to{filter:hue-rotate(360deg)}}@-moz-keyframes k1{from{filter:hue-rotate(0deg)}to{filter:hue-rotate(360deg)}}@keyframes k1{from{filter:hue-rotate(0deg)}to{filter:hue-rotate(360deg)}}</style><style type="text/css" 
data-fela-rehydration="474" data-fela-type="RULE">.a{font-family:medium-content-sans-serif-font, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif}.b{font-weight:400}.c{background-color:rgba(255, 255, 255, 1)}.l{height:100vh}.m{width:100vw}.n{display:flex}.o{align-items:center}.p{justify-content:center}.q{height:25px}.r{fill:rgba(41, 41, 41, 1)}.s{display:block}.t{position:absolute}.u{top:0}.v{left:0}.w{right:0}.x{z-index:500}.y{box-shadow:0 4px 12px 0 rgba(0, 0, 0, 0.05)}.ah{max-width:1192px}.ai{min-width:0}.aj{width:100%}.ak{height:65px}.an{flex:1 0 auto}.ao{fill:rgba(25, 25, 25, 1)}.ap{border-left:1px solid rgba(204, 204, 204, 1)}.aq{margin-left:15px}.ar{margin-right:14px}.as{height:24px}.at{width:1px}.au{height:36px}.av{width:36px}.aw{flex:0 0 auto}.ax{border-top:1px solid rgba(230, 230, 230, 1)}.ay{display:none}.ba{height:54px}.bb{overflow:hidden}.bc{margin-right:40px}.bd{overflow:auto}.be{flex:0 1 auto}.bf{list-style-type:none}.bg{margin:0}.bh{line-height:40px}.bi{white-space:nowrap}.bj{overflow-x:auto}.bk{align-items:flex-start}.bl{margin-top:20px}.bm{padding-top:20px}.bn{height:80px}.bo{margin-bottom:0px}.bp{margin-top:0px}.bx{margin-left:auto}.by{margin-right:auto}.bz{max-width:728px}.ca{box-sizing:border-box}.cb{background:rgba(255, 255, 255, 1)}.cc{border:1px solid rgba(230, 230, 230, 1)}.cd{border-radius:4px}.ce{box-shadow:0 1px 4px rgba(230, 230, 230, 1)}.cf{max-height:100vh}.cg{overflow-y:auto}.ch{top:calc(100vh + 100px)}.ci{bottom:calc(100vh + 100px)}.cj{width:10px}.ck{pointer-events:none}.cl{word-break:break-word}.cm{word-wrap:break-word}.cn:after{display:block}.co:after{content:""}.cp:after{clear:both}.cq{max-width:680px}.cr{line-height:1.23}.cs{letter-spacing:0}.ct{font-style:normal}.cu{font-family:fell, Georgia, Cambria, "Times New Roman", Times, serif}.dp{margin-bottom:-0.27em}.dq{color:rgba(41, 41, 41, 
1)}.dr{margin-top:32px}.ds{justify-content:space-between}.dw{border-radius:50%}.dx{height:48px}.dy{width:48px}.dz{margin-left:8px}.ea{font-family:sohne, "Helvetica Neue", Helvetica, Arial, sans-serif}.eb{font-size:14px}.ec{line-height:20px}.ed{margin-bottom:2px}.ef{max-height:20px}.eg{text-overflow:ellipsis}.eh{display:-webkit-box}.ei{-webkit-line-clamp:1}.ej{-webkit-box-orient:vertical}.el{color:inherit}.em{fill:inherit}.en{font-size:inherit}.eo{border:inherit}.ep{font-family:inherit}.eq{letter-spacing:inherit}.er{font-weight:inherit}.es{padding:0}.ev:disabled{cursor:default}.ew:disabled{color:rgba(117, 117, 117, 1)}.ex:disabled{fill:rgba(117, 117, 117, 1)}.ey{font-size:13px}.ez{color:rgba(255, 255, 255, 1)}.fa{padding:0px 8px 1px}.fb{fill:rgba(255, 255, 255, 1)}.fc{background:rgba(132, 133, 133, 1)}.fd{border-color:rgba(132, 133, 133, 1)}.fg:disabled{cursor:inherit !important}.fh:disabled{opacity:0.3}.fi:disabled:hover{background:rgba(132, 133, 133, 1)}.fj:disabled:hover{border-color:rgba(132, 133, 133, 1)}.fk{border-radius:99em}.fl{border-width:1px}.fm{border-style:solid}.fn{display:inline-block}.fo{text-decoration:none}.fp{margin-left:4px}.fq{stroke:rgba(242, 242, 242, 1)}.fr{height:23px}.fs{width:23px}.fv{color:rgba(242, 242, 242, 1)}.fw{fill:rgba(242, 242, 242, 1)}.fx{background:rgba(242, 242, 242, 1)}.fy{border-color:rgba(242, 242, 242, 1)}.ge{color:rgba(117, 117, 117, 1)}.gf{align-items:flex-end}.gn{padding-right:1px}.go{fill:rgba(117, 117, 117, 1)}.gp path{fill:rgba(8, 8, 8, 1)}.gq{margin:0 6px 0 7px}.gw{clear:both}.gx{max-width:100%}.gy{height:auto}.gz{margin-top:10px}.ha{text-align:center}.hd{text-decoration:underline}.he{line-height:1.12}.hf{letter-spacing:-0.022em}.hg{font-weight:500}.ib{margin-bottom:-0.28em}.ic{line-height:1.58}.id{letter-spacing:-0.004em}.ie{font-family:charter, Georgia, Cambria, "Times New Roman", Times, serif}.ix{margin-bottom:-0.46em}.jd{background-color:rgba(242, 242, 242, 1)}.je{padding:2px 4px}.jf{font-size:75%}.jg> 
strong{font-family:inherit}.jh{font-family:Menlo, Monaco, "Courier New", Courier, monospace}.ji{list-style-type:decimal}.jj{margin-left:30px}.jk{padding-left:0px}.jq{max-width:739px}.js{cursor:zoom-in}.jt{position:relative}.ju{z-index:auto}.jw{opacity:0}.jx{transition:opacity 100ms 400ms}.jy{height:100%}.jz{will-change:transform}.ka{transform:translateZ(0)}.kb{margin:auto}.kc{padding-bottom:146.42857142857142%}.kd{height:0}.ke{filter:blur(20px)}.kf{transform:scale(1.1)}.kg{visibility:visible}.kh{padding:20px}.ki{line-height:1.18}.kj{font-size:16px}.kk{margin-top:-0.09em}.kl{margin-bottom:-0.09em}.km{white-space:pre-wrap}.kn{max-width:331px}.ko{padding-bottom:35.64954682779456%}.kp{max-width:1140px}.kq{padding-bottom:59.71428571428571%}.kr{will-change:opacity}.ks{position:fixed}.kt{width:188px}.ku{left:50%}.kv{transform:translateX(406px)}.kw{top:calc(65px + 54px + 14px)}.kz{will-change:opacity, transform}.la{transform:translateY(159px)}.lc{width:197px}.ld{flex-direction:column}.le{margin-bottom:20px}.lf{padding-bottom:20px}.lg{padding-top:2px}.lh{max-height:120px}.li{-webkit-line-clamp:6}.lj{padding-top:32px}.lk{flex-direction:row}.ll{justify-content:space-evenly}.lm{margin-right:20px}.ls{-webkit-user-select:none}.lt{outline:0}.lu{border:0}.lv{user-select:none}.lw{cursor:pointer}.lx> svg{pointer-events:none}.mi button{text-align:left}.mj{margin-top:2px}.mk{fill:rgba(61, 61, 61, 
1)}.ml{opacity:1}.mm{margin-top:1px}.mn{margin-top:40px}.mo{flex-wrap:wrap}.mp{margin-top:25px}.mq{max-width:155px}.mx{top:1px}.na{margin-left:24px}.nb{margin-top:4px}.nc{margin-bottom:25px}.ne{margin-bottom:32px}.nf{min-height:80px}.nk{width:80px}.nl{padding-left:102px}.nm{margin-bottom:6px}.no{font-size:22px}.np{line-height:28px}.nq{max-width:550px}.nr{max-width:450px}.ns{line-height:24px}.nu{padding-top:24px}.nv{margin-top:5px}.nw{height:40px}.nx{width:40px}.ny{margin-left:12px}.nz{font-size:12px}.oa{line-height:16px}.ob{letter-spacing:0.083em}.oc{text-transform:uppercase}.od{padding-top:8px}.oe{margin-bottom:40px}.of{margin-top:24px}.og{padding-bottom:16px}.oh{border-bottom:1px solid rgba(230, 230, 230, 1)}.oi{margin-bottom:24px}.qe{flex-grow:0}.qf{padding-bottom:24px}.qg{max-width:500px}.qi{padding-bottom:8px}.qt{margin-right:8px}.qw{padding-bottom:100%}.et:hover{cursor:pointer}.eu:hover{text-decoration:underline}.fe:hover{background:rgba(113, 114, 114, 1)}.ff:hover{border-color:rgba(113, 114, 114, 1)}.ft:hover{color:rgba(25, 25, 25, 1)}.fu:hover{fill:rgba(25, 25, 25, 1)}.fz:hover{background:rgba(242, 242, 242, 1)}.ga:hover{border-color:rgba(242, 242, 242, 1)}.gb:hover{cursor:wait}.gc:hover{color:rgba(242, 242, 242, 1)}.gd:hover{fill:rgba(242, 242, 242, 1)}.ma:hover{fill:rgba(117, 117, 117, 1)}.jv:focus{transform:scale(1.01)}.lz:focus{fill:rgba(117, 117, 117, 1)}.ly:active{border-style:none}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (min-width: 1080px)">.d{display:none}.ag{margin:0 64px}.bw{padding:0 
16px}.dl{font-size:48px}.dm{margin-top:0.55em}.dn{line-height:60px}.do{letter-spacing:-0.011em}.gm{margin-left:30px}.gv{margin-top:56px}.hx{font-size:30px}.hy{margin-top:1.95em}.hz{line-height:36px}.ia{letter-spacing:0}.it{font-size:21px}.iu{margin-top:0.86em}.iv{line-height:32px}.iw{letter-spacing:-0.003em}.jc{margin-top:2em}.jp{margin-top:1.05em}.lr{margin-right:5px}.mh{margin-top:0px}.mw{margin-top:5px}.mz{display:inline-block}.ot{font-size:22px}.ou{line-height:28px}.ph{width:calc(100% + 32px)}.pi{margin-left:-16px}.pj{margin-right:-16px}.qa{padding-left:16px}.qb{padding-right:16px}.qc{flex-basis:25%}.qd{max-width:25%}.qr{font-size:16px}.qs{line-height:20px}.rf{min-width:70px}.rg{min-height:70px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (max-width: 1079.98px)">.e{display:none}.gl{margin-left:30px}.hb{margin-left:auto}.hc{text-align:center}.mg{margin-top:0px}.mv{margin-top:5px}.my{display:inline-block}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (max-width: 903.98px)">.f{display:none}.gk{margin-left:30px}.mf{margin-top:0px}.mt{display:inline-block}.mu{margin-top:5px}.qh{margin-right:16px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (max-width: 727.98px)">.g{display:none}.al{height:56px}.am{display:flex}.az{display:block}.bq{margin-bottom:0px}.br{height:110px}.du{margin-top:32px}.dv{flex-direction:column-reverse}.gi{margin-bottom:30px}.gj{margin-left:0px}.md{margin-top:2px}.me{margin-right:16px}.ms{display:inline-block}.nd{padding-top:0}.ng{margin-bottom:24px}.nh{align-items:center}.ni{width:102px}.nj{position:relative}.nn{padding-left:0}.nt{margin-top:24px}.oj{padding-bottom:12px}.ok{margin-top:16px}.qu{margin-left:16px}.qv{margin-right:0px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (max-width: 551.98px)">.h{display:none}.ab{margin:0 24px}.bs{padding:0 8px 
24px 8px}.cv{font-size:34px}.cw{margin-top:0.56em}.cx{line-height:42px}.cy{letter-spacing:-0.016em}.dt{margin-top:32px}.ee{margin-bottom:0px}.gg{margin-bottom:30px}.gh{margin-left:0px}.gr{margin-top:40px}.hh{font-size:22px}.hi{margin-top:1.2em}.hj{line-height:28px}.hk{letter-spacing:0}.if{font-size:18px}.ig{margin-top:0.67em}.ih{letter-spacing:-0.003em}.iy{margin-top:1.56em}.jl{margin-top:1.34em}.ln{margin-left:8px}.mb{margin-top:2px}.mc{margin-right:16px}.mr{display:inline-block}.ol{font-size:20px}.om{line-height:24px}.ov{width:calc(100% + 24px)}.ow{margin-left:-12px}.ox{margin-right:-12px}.pk{padding-left:12px}.pl{padding-right:12px}.pm{flex-basis:100%}.pn{max-width:100%}.qj{font-size:16px}.qk{line-height:20px}.qx{min-width:48px}.qy{min-height:48px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (min-width: 904px) and (max-width: 1079.98px)">.i{display:none}.af{margin:0 64px}.bv{padding:0 16px}.dh{font-size:48px}.di{margin-top:0.55em}.dj{line-height:60px}.dk{letter-spacing:-0.011em}.gu{margin-top:56px}.ht{font-size:30px}.hu{margin-top:1.95em}.hv{line-height:36px}.hw{letter-spacing:0}.ip{font-size:21px}.iq{margin-top:0.86em}.ir{line-height:32px}.is{letter-spacing:-0.003em}.jb{margin-top:2em}.jo{margin-top:1.05em}.lq{margin-right:5px}.or{font-size:22px}.os{line-height:28px}.pe{width:calc(100% + 32px)}.pf{margin-left:-16px}.pg{margin-right:-16px}.pw{padding-left:16px}.px{padding-right:16px}.py{flex-basis:25%}.pz{max-width:25%}.qp{font-size:16px}.qq{line-height:20px}.rd{min-width:70px}.re{min-height:70px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (min-width: 728px) and (max-width: 903.98px)">.j{display:none}.ae{margin:0 48px}.bu{padding:0 
16px}.dd{font-size:48px}.de{margin-top:0.55em}.df{line-height:60px}.dg{letter-spacing:-0.011em}.gt{margin-top:56px}.hp{font-size:30px}.hq{margin-top:1.95em}.hr{line-height:36px}.hs{letter-spacing:0}.il{font-size:21px}.im{margin-top:0.86em}.in{line-height:32px}.io{letter-spacing:-0.003em}.ja{margin-top:2em}.jn{margin-top:1.05em}.lp{margin-right:5px}.op{font-size:22px}.oq{line-height:28px}.pb{width:calc(100% + 28px)}.pc{margin-left:-14px}.pd{margin-right:-14px}.ps{padding-left:14px}.pt{padding-right:14px}.pu{flex-basis:50%}.pv{max-width:50%}.qn{font-size:16px}.qo{line-height:20px}.rb{min-width:48px}.rc{min-height:48px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (min-width: 552px) and (max-width: 727.98px)">.k{display:none}.ac{margin:0 24px}.bt{padding:0 8px 24px 8px}.cz{font-size:34px}.da{margin-top:0.56em}.db{line-height:42px}.dc{letter-spacing:-0.016em}.gs{margin-top:40px}.hl{font-size:22px}.hm{margin-top:1.2em}.hn{line-height:28px}.ho{letter-spacing:0}.ii{font-size:18px}.ij{margin-top:0.67em}.ik{letter-spacing:-0.003em}.iz{margin-top:1.56em}.jm{margin-top:1.34em}.lo{margin-left:8px}.on{font-size:20px}.oo{line-height:24px}.oy{width:calc(100% + 24px)}.oz{margin-left:-12px}.pa{margin-right:-12px}.po{padding-left:12px}.pp{padding-right:12px}.pq{flex-basis:100%}.pr{max-width:100%}.ql{font-size:16px}.qm{line-height:20px}.qz{min-width:48px}.ra{min-height:48px}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="print">.z{display:none}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="(orientation: landscape) and (max-width: 903.98px)">.ek{max-height:none}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="(prefers-reduced-motion: no-preference)">.jr{transition:transform 300ms cubic-bezier(0.2, 0, 0.2, 1)}.kx{transition:opacity 200ms}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" 
media="all and (max-width: 1230px)">.ky{display:none}</style><style type="text/css" data-fela-rehydration="474" data-fela-type="RULE" media="all and (max-width: 1240px)">.lb{display:none}</style></head><body><div id="root"><div class="a b c"><div class="d e f g h i j k"></div><script>document.domain = document.domain;</script><div class="s"><div class="bo bp ak s bq br"></div><article><section class="bs bt bu bv bw bx by aj bz ca s"></section><span class="s"></span><div><div><div class="t v ch ci cj ck"></div><section class="cl cm cn co cp"><div class="n p"><div class="ab ac ae af ag cq ai aj"><div class=""><h1 id="3378" class="cr cs ct cu b cv cw cx cy cz da db dc dd de df dg dh di dj dk dl dm dn do dp dq">Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&amp;CK v10</h1><div class="dr"><div class="n ds dt du dv"><div class="o n"><div class="dz aj s"><div class="n"><div style="flex:1"><span class="ea b eb ec dq"><div class="ed n o ee"><span class="ea b eb ec bb ef eg eh ei ej ek dq"><a class="el em en eo ep eq er es bg et eu ev ew ex" href="https://rex-11050.medium.com/?source=post_page-----da7da34ed301-----------------------------------" rel="noopener follow">Rex Guo</a></span></div></span></div></div><span class="ea b eb ec ge"><span class="ea b eb ec bb ef eg eh ei ej ek ge"><div><a class="el em en eo ep eq er es bg et eu ev ew ex" rel="noopener follow" href="/confluera-engineering/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301?source=post_page-----da7da34ed301-----------------------------------"><span>Dec 3</span></a> <!-- -->·<!-- --> <!-- -->4<!-- --> min read</div></span></span></div></div></div></div></div><figure class="gr gs gt gu gv gw bx by paragraph-image"><div class="bx by cq"><img alt="" class="aj gx gy" src="https://miro.medium.com/max/1360/1*Mbys1dtuQsMUa8q0NtkpDw.png" width="680" height="400" role="presentation"/></div><figcaption class="gz ha bz bx by hb hc ea b eb ec ge">MITRE ATT&amp;CK. 
Source: <a class="el hd" href="https://attack.mitre.org/" rel="noopener ugc nofollow" target="_blank">attack.mitre.org</a></figcaption></figure><h1 id="8d01" class="he hf ct ea hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib dq">Summary</h1><p id="8fe2" class="ic id ct ie b if ig hj ih ii ij hn ik il im in io ip iq ir is it iu iv iw ix cl dq">This blog discusses a Linux <a class="el hd" href="https://attack.mitre.org/techniques/T1620/" rel="noopener ugc nofollow" target="_blank">reflective code loading</a> technique newly added in the <a class="el hd" href="https://attack.mitre.org/resources/updates/updates-october-2021/#:~:text=The%20October%202021%20(v10)%20ATT%26CK,changes%20released%20in%20ATT%26CK%20v9." rel="noopener ugc nofollow" target="_blank">MITRE ATT&amp;CK framework v10</a> update. Our research team contributed this technique to the MITRE ATT&amp;CK organizers to help improve the industry standard.</p><p id="f3f6" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">Reflective code loading allows threat actors to execute file-based malware without touching the disk! We will discuss how this technique works in Linux and how threat groups use this technique to evade detection.</p><p id="ab68" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">In our next blog, we will discuss detection of and response to this technique. This blog is co-authored with <a class="el hd" rel="noopener" href="/@joel.schopp">Joel Schopp</a>.</p><h1 id="e2e9" class="he hf ct ea hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib dq">What Is an Anonymous File?</h1><p id="b065" class="ic id ct ie b if ig hj ih ii ij hn ik il im in io ip iq ir is it iu iv iw ix cl dq">Before we dive into the details of reflective code loading in Linux, we need to understand anonymous files. Linux uses the file as a generic abstraction for many underlying interfaces. 
Linux kernel 3.17 introduced the <code class="jd je jf jg jh b">memfd_create()</code> system call. <code class="jd je jf jg jh b">memfd_create()</code> creates an anonymous file and returns a file descriptor that refers to it. The file behaves like a regular file, and it can be modified, truncated, memory-mapped, and so on.</p><p id="d04c" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">However, unlike a regular file, it lives in RAM and has volatile backing storage. This means that filesystem scanners can’t scan it. The file is still visible on the live host, though: while a descriptor to it is open, it is listed under the owning process’s <code class="jd je jf jg jh b">/proc/&lt;pid&gt;/fd/</code> directory, so process-aware tooling can still inspect it. Once all references to the file are dropped, it is automatically released. Anonymous memory is used for all backing pages of the file. Therefore, files created by <code class="jd je jf jg jh b">memfd_create()</code> have the same semantics as other anonymous memory allocations, such as those allocated using <a class="el hd" href="https://man7.org/linux/man-pages/man2/mmap.2.html" rel="noopener ugc nofollow" target="_blank"><code class="jd je jf jg jh b">mmap()</code></a> with the <code class="jd je jf jg jh b">MAP_ANONYMOUS</code> flag.</p><h1 id="2fe1" class="he hf ct ea hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib dq">Reflective Code Loading in Linux</h1><p id="41e9" class="ic id ct ie b if ig hj ih ii ij hn ik il im in io ip iq ir is it iu iv iw ix cl dq">Linux also supports direct execution of an anonymous file in memory through either the <code class="jd je jf jg jh b">execve</code> or the <code class="jd je jf jg jh b">execveat</code> system call. 
Reflective code loading consists of the following steps:</p><ol class=""><li id="df1d" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix ji jj jk dq">Creates an anonymous file within the application memory</li><li id="dba8" class="ic id ct ie b if jl hj ih ii jm hn ik il jn in io ip jo ir is it jp iv iw ix ji jj jk dq">Writes the file content to the anonymous file</li><li id="62e4" class="ic id ct ie b if jl hj ih ii jm hn ik il jn in io ip jo ir is it jp iv iw ix ji jj jk dq">Executes the anonymous file from memory</li></ol><p id="78a4" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">During reflective code loading, the anonymous file does not touch the disk. We will use a simple example to demonstrate the idea. Part of the code is inspired by a 0x00sec <a class="el hd" href="https://0x00sec.org/t/super-stealthy-droppers/3715" rel="noopener ugc nofollow" target="_blank">blog</a>.</p><figure class="gr gs gt gu gv gw bx by paragraph-image"><div role="button" tabindex="0" class="jr js jt ju aj jv"><div class="bx by jq"><div class="kb s jt jd"><div class="kc kd s"><div class="jw jx t u v jy aj bb jz ka"><img alt="" class="t u v jy aj ke kf kg" src="https://miro.medium.com/max/40/0*WW5SfAuHrHogCodS?q=20" width="700" height="1025" role="presentation"/></div><img alt="" class="jw jx t u v jy aj c" width="700" height="1025" role="presentation"/><noscript><img alt="" class="t u v jy aj" src="https://miro.medium.com/max/1400/0*WW5SfAuHrHogCodS" width="700" height="1025" srcSet="https://miro.medium.com/max/552/0*WW5SfAuHrHogCodS 276w, https://miro.medium.com/max/1104/0*WW5SfAuHrHogCodS 552w, https://miro.medium.com/max/1280/0*WW5SfAuHrHogCodS 640w, https://miro.medium.com/max/1400/0*WW5SfAuHrHogCodS 700w" sizes="700px" role="presentation"/></noscript></div></div></div></div></figure><p id="d28d" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">The program 
primarily performs the following steps:</p><ol class=""><li id="7dc8" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix ji jj jk dq">Connects to a network socket. For demo purposes, we use localhost and port 1111 as the destination address and port, respectively.</li><li id="83ec" class="ic id ct ie b if jl hj ih ii jm hn ik il jn in io ip jo ir is it jp iv iw ix ji jj jk dq">Creates an anonymous file</li><li id="a328" class="ic id ct ie b if jl hj ih ii jm hn ik il jn in io ip jo ir is it jp iv iw ix ji jj jk dq">Reads file content from the network and writes it to the file in a loop until the file ends or an error condition occurs</li><li id="b97e" class="ic id ct ie b if jl hj ih ii jm hn ik il jn in io ip jo ir is it jp iv iw ix ji jj jk dq">Creates a child process and executes the anonymous file from the child</li></ol><p id="a3f4" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">Here are the steps to test the reflective code loading:</p><ol class=""><li id="a216" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix ji jj jk dq">Pipe an ELF payload to a netcat listener. For demo purposes, we are just using a simple xeyes binary from Ubuntu distributions. The shell expands <code class="jd je jf jg jh b">$((0x1111))</code> to decimal 4369, so the port 1111 given above is evidently a hexadecimal value.</li></ol><pre class="gr gs gt gu gv kh fx bj"><span id="502a" class="dq ki hf ct jh b kj kk kl s km">$ cat /usr/bin/xeyes | nc -l $((0x1111))</span></pre><p id="ee5c" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">2. Run the above reflective code loading program. If everything works, we can see the program load and execute. We will also see an xeyes window pop up in the GUI. 
To view the running process artifacts:</p><pre class="gr gs gt gu gv kh fx bj"><span id="2044" class="dq ki hf ct jh b kj kk kl s km">$ ps -ef --forest</span></pre><figure class="gr gs gt gu gv gw bx by paragraph-image"><div class="bx by kn"><div class="kb s jt jd"><div class="ko kd s"><div class="jw jx t u v jy aj bb jz ka"><img alt="" class="t u v jy aj ke kf kg" src="https://miro.medium.com/max/60/0*ncty52aFfGZ5EtTs?q=20" width="331" height="118" role="presentation"/></div><img alt="" class="jw jx t u v jy aj c" width="331" height="118" role="presentation"/><noscript><img alt="" class="t u v jy aj" src="https://miro.medium.com/max/662/0*ncty52aFfGZ5EtTs" width="331" height="118" srcSet="https://miro.medium.com/max/552/0*ncty52aFfGZ5EtTs 276w, https://miro.medium.com/max/662/0*ncty52aFfGZ5EtTs 331w" sizes="331px" role="presentation"/></noscript></div></div></div></figure><p id="351a" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">Note that we can change the program name to an arbitrary string. We use <code class="jd je jf jg jh b">[kworker/u!0]</code> to demonstrate that it is possible to confuse an inexperienced analyst. Genuine kernel worker threads are children of <code class="jd je jf jg jh b">kthreadd</code> (PID 2), so a process with this name that hangs under a user-space parent in the <code class="jd je jf jg jh b">--forest</code> output is not one of them.</p><h1 id="2b9b" class="he hf ct ea hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib dq">How is Reflective Code Loading Used by Threat Groups?</h1><p id="4efb" class="ic id ct ie b if ig hj ih ii ij hn ik il im in io ip iq ir is it iu iv iw ix cl dq">The APT threat group TeamTNT has been using the ezuri loader in the wild to deploy malware. TeamTNT is well known for targeting container and cloud environments. 
We refer readers to this blog from <a class="el hd" href="https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader" rel="noopener ugc nofollow" target="_blank">AT&amp;T cybersecurity lab</a> for a detailed analysis of the malware.</p><p id="e8ca" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">The ezuri loader is an <a class="el hd" href="https://github.com/guitmz/ezuri" rel="noopener ugc nofollow" target="_blank">open source project</a> that uses the reflective code loading technique we described above. The loader contains a decryption routine that runs before it loads the actual payload. At the actual loading stage, it uses the same technique:</p><figure class="gr gs gt gu gv gw bx by paragraph-image"><div role="button" tabindex="0" class="jr js jt ju aj jv"><div class="bx by kp"><div class="kb s jt jd"><div class="kq kd s"><div class="jw jx t u v jy aj bb jz ka"><img alt="" class="t u v jy aj ke kf kg" src="https://miro.medium.com/max/60/0*OCKewHBxQrtbH9HI?q=20" width="700" height="418" role="presentation"/></div><img alt="" class="jw jx t u v jy aj c" width="700" height="418" role="presentation"/><noscript><img alt="" class="t u v jy aj" src="https://miro.medium.com/max/1400/0*OCKewHBxQrtbH9HI" width="700" height="418" srcSet="https://miro.medium.com/max/552/0*OCKewHBxQrtbH9HI 276w, https://miro.medium.com/max/1104/0*OCKewHBxQrtbH9HI 552w, https://miro.medium.com/max/1280/0*OCKewHBxQrtbH9HI 640w, https://miro.medium.com/max/1400/0*OCKewHBxQrtbH9HI 700w" sizes="700px" role="presentation"/></noscript></div></div></div></div></figure><h1 id="adba" class="he hf ct ea hg hh hi hj hk hl hm hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib dq">Conclusion:</h1><p id="bd63" class="ic id ct ie b if ig hj ih ii ij hn ik il im in io ip iq ir is it iu iv iw ix cl dq">Reflective code loading using anonymous files in Linux is actively being used by threat actors. 
Its fileless nature can bypass security tools that are not able to detect and respond to this behavior. MITRE ATT&amp;CK framework has adopted this technique as part of its latest standard.</p><p id="7780" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">Cloud security teams should obtain the capability to detect and respond to such threats and focus on the application behavior sequences. To learn more, please check the <a class="el hd" href="https://rex-11050.medium.com/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014" rel="noopener">second part</a> of this blog.</p><p id="a311" class="ic id ct ie b if iy hj ih ii iz hn ik il ja in io ip jb ir is it jc iv iw ix cl dq">Feel free to reach out with any questions you may have through <a class="el hd" href="https://www.confluera.com/contact" rel="noopener ugc nofollow" target="_blank">contact</a>.</p></div></div></section></div></div></article>
ke kf kg" src="https://miro.medium.com/max/60/1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg?q=20" width="70" height="70" role="presentation"/></div><img class="jw jx qx qy qz ra rb rc rd re rf rg c" width="70" height="70" role="presentation"/><noscript><img class="qx qy qz ra rb rc rd re rf rg" src="https://miro.medium.com/fit/c/140/140/1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg" width="70" height="70" srcSet="https://miro.medium.com/fit/c/96/140/1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg 48w, https://miro.medium.com/fit/c/140/140/1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg 70w" sizes="70px" role="presentation"/></noscript></div></div></a></div></div></div></div></div><div class="pk pl pm pn po pp pq pr ps pt pu pv pw px py pz qa qb qc qd qe"><div class="qf qg s"><div class="aj jy"><div class="n ds"><div class="s be mc me qh"><div class="qi s"><h2 class="ea hg qj qk hk ql qm ho qn qo hs qp qq hw qr qs ia dq"><a rel="noopener follow" href="/@pentadactylisms/what-they-distribute-this-ladies-site-is-fundamentally-yet-as-well-this-e5d23dc8120b?source=post_internal_links---------5-------------------------------">What they distribute: This ladies’ site is fundamentally, yet as well this</a></h2></div><div class="o n"><div></div><div class="aj s"><div class="n"><div style="flex:1"><span class="ea b eb ec dq"><div class="bo n o ee"><span class="ea b ey ec dq"><a class="el em en eo ep eq er es bg et eu ev ew ex" rel="noopener follow" href="/@pentadactylisms?source=post_internal_links---------5-------------------------------">Pentadactylisms</a></span></div></span></div></div></div></div></div><div class="ny qt s qu qv"><a class="el em en eo ep eq er es bg et ft fu ev ew ex s" rel="noopener follow" href="/@pentadactylisms/what-they-distribute-this-ladies-site-is-fundamentally-yet-as-well-this-e5d23dc8120b?source=post_internal_links---------5-------------------------------"><div class="kb s jt jd"><div class="qw kd s"><div class="jw jx t u v jy aj bb jz ka"><img class="t u v jy aj ke kf kg" 
src="https://miro.medium.com/max/60/1*hn4v1tCaJy7cWMyb0bpNpQ.png?q=20" width="70" height="70" role="presentation"/></div><img class="jw jx qx qy qz ra rb rc rd re rf rg c" width="70" height="70" role="presentation"/><noscript><img class="qx qy qz ra rb rc rd re rf rg" src="https://miro.medium.com/fit/c/140/140/1*hn4v1tCaJy7cWMyb0bpNpQ.png" width="70" height="70" srcSet="https://miro.medium.com/fit/c/96/140/1*hn4v1tCaJy7cWMyb0bpNpQ.png 48w, https://miro.medium.com/fit/c/140/140/1*hn4v1tCaJy7cWMyb0bpNpQ.png 70w" sizes="70px" role="presentation"/></noscript></div></div></a></div></div></div></div></div><div class="pk pl pm pn po pp pq pr ps pt pu pv pw px py pz qa qb qc qd qe"><div class="qf qg s"><div class="aj jy"><div class="n ds"><div class="s be mc me qh"><div class="qi s"><h2 class="ea hg qj qk hk ql qm ho qn qo hs qp qq hw qr qs ia dq"><a href="https://matteolopiccolo.medium.com/create-a-gameobjects-and-applying-materials-746ff022079e?source=post_internal_links---------6-------------------------------" rel="noopener follow">Create a GameObjects and applying materials</a></h2></div><div class="o n"><div></div><div class="aj s"><div class="n"><div style="flex:1"><span class="ea b eb ec dq"><div class="bo n o ee"><span class="ea b ey ec dq"><a class="el em en eo ep eq er es bg et eu ev ew ex" href="https://matteolopiccolo.medium.com/?source=post_internal_links---------6-------------------------------" rel="noopener follow">Matteo Lo Piccolo</a></span></div></span></div></div></div></div></div><div class="ny qt s qu qv"><a class="el em en eo ep eq er es bg et ft fu ev ew ex s" href="https://matteolopiccolo.medium.com/create-a-gameobjects-and-applying-materials-746ff022079e?source=post_internal_links---------6-------------------------------" rel="noopener follow"><div class="kb s jt jd"><div class="qw kd s"><div class="jw jx t u v jy aj bb jz ka"><img class="t u v jy aj ke kf kg" src="https://miro.medium.com/freeze/max/60/1*sNltK5QVywkYNLBMnbfcgQ.gif?q=20" 
width="70" height="70" role="presentation"/></div><img class="jw jx qx qy qz ra rb rc rd re rf rg c" width="70" height="70" role="presentation"/><noscript><img class="qx qy qz ra rb rc rd re rf rg" src="https://miro.medium.com/fit/c/140/140/1*sNltK5QVywkYNLBMnbfcgQ.gif" width="70" height="70" srcSet="https://miro.medium.com/fit/c/96/140/1*sNltK5QVywkYNLBMnbfcgQ.gif 48w, https://miro.medium.com/fit/c/140/140/1*sNltK5QVywkYNLBMnbfcgQ.gif 70w" sizes="70px" role="presentation"/></noscript></div></div></a></div></div></div></div></div><div class="pk pl pm pn po pp pq pr ps pt pu pv pw px py pz qa qb qc qd qe"><div class="qf qg s"><div class="aj jy"><div class="n ds"><div class="s be mc me qh"><div class="qi s"><h2 class="ea hg qj qk hk ql qm ho qn qo hs qp qq hw qr qs ia dq"><a rel="noopener follow" href="/@apatial.27/day-26-of-31-day-may-leetcode-challenge-340eceab6aab?source=post_internal_links---------7-------------------------------">Day 26 of 31-Day May LeetCode Challenge</a></h2></div><div class="o n"><div></div><div class="aj s"><div class="n"><div style="flex:1"><span class="ea b eb ec dq"><div class="bo n o ee"><span class="ea b ey ec dq"><a class="el em en eo ep eq er es bg et eu ev ew ex" rel="noopener follow" href="/@apatial.27?source=post_internal_links---------7-------------------------------">Aanchal Patial</a></span></div></span></div></div></div></div></div><div class="ny qt s qu qv"><a class="el em en eo ep eq er es bg et ft fu ev ew ex s" rel="noopener follow" href="/@apatial.27/day-26-of-31-day-may-leetcode-challenge-340eceab6aab?source=post_internal_links---------7-------------------------------"><div class="kb s jt jd"><div class="qw kd s"><div class="jw jx t u v jy aj bb jz ka"><img class="t u v jy aj ke kf kg" src="https://miro.medium.com/max/60/1*EP8hPeYQka8ZxuVCI1TLpA.png?q=20" width="70" height="70" role="presentation"/></div><img class="jw jx qx qy qz ra rb rc rd re rf rg c" width="70" height="70" role="presentation"/><noscript><img class="qx 
qy qz ra rb rc rd re rf rg" src="https://miro.medium.com/fit/c/140/140/1*EP8hPeYQka8ZxuVCI1TLpA.png" width="70" height="70" srcSet="https://miro.medium.com/fit/c/96/140/1*EP8hPeYQka8ZxuVCI1TLpA.png 48w, https://miro.medium.com/fit/c/140/140/1*EP8hPeYQka8ZxuVCI1TLpA.png 70w" sizes="70px" role="presentation"/></noscript></div></div></a></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><script>window.__BUILD_ID__="main-20211221-164410-1a06fba482"</script><script>window.__GRAPHQL_URI__ = "https://medium.com/_/graphql"</script><script>window.__PRELOADED_STATE__ = {"algolia":{"queries":{}},"auroraPage":{"isAuroraPageEnabled":false},"bookReader":{"assets":{},"reader":{"currentAsset":null,"currentGFI":null,"settingsPanelIsOpen":false,"settings":{"fontFamily":"CHARTER","fontScale":"M","publisherStyling":false,"textAlignment":"start","theme":"White","lineSpacing":0,"wordSpacing":0,"letterSpacing":0},"internalNavCounter":0,"currentSelection":null}},"cache":{"experimentGroupSet":true,"reason":"","group":"enabled","tags":["group-edgeCachePosts","post-da7da34ed301","user-138f8633036e","collection-7b3e2b415688"],"serverVariantState":"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","middlewareEnabled":true,"cacheStatus":"DYNAMIC","shouldUseCache":true,"vary":[]},"client":{"hydrated":false,"isUs":false,"isNativeMedium":false,"isSafariMobile":false,"isSafari":false,"routingEntity":{"type":"DEFAULT","explicit":false},"viewerIsBot":false},"debug":{"requestId":"11c7f164-74b3-4664-9d6e-981706dc8330","hybridDevServices":[],"showBookReaderDebugger":false,"originalSpanCarrier":{"ot-tracer-spanid":"2639ddc633e65cae","ot-tracer-traceid":"2413cfeae1b70bff","ot-tracer-sampled":"true"}},"multiVote":{"clapsPerPost":{}},"navigation":{"branch":{"show":null,"hasRendered":null,"blockedByCTA":false},"hideGoogleOneTap":false,"hasRenderedGoogleOneTap":null,"hasRenderedAlternateUserBanner":null,"currentLocation":"https:\u002F\u002Fmedium.com
\u002Fconfluera-engineering\u002Freflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301","host":"medium.com","hostname":"medium.com","referrer":"","hasSetReferrer":false,"susiModal":{"step":null,"operation":"register"},"postRead":false,"queryString":"","currentHash":""},"tracing":{},"userOnboarding":{"showFirstBookPurchaseTooltip":false},"config":{"nodeEnv":"production","version":"main-20211221-164410-1a06fba482","isTaggedVersion":false,"isMediumDotApp":false,"isMediumDotAppVariant":false,"target":"production","productName":"Medium","publicUrl":"https:\u002F\u002Fcdn-client.medium.com\u002Flite","authDomain":"medium.com","authGoogleClientId":"216296035834-k1k6qe060s2tp2a2jam4ljdcms00sttg.apps.googleusercontent.com","favicon":"production","glyphUrl":"https:\u002F\u002Fglyph.medium.com","branchKey":"key_live_ofxXr2qTrrU9NqURK8ZwEhknBxiI6KBm","lightStep":{"name":"lite-web","host":"lightstep.medium.systems","token":"ce5be895bef60919541332990ac9fef2","appVersion":"main-20211221-164410-1a06fba482","disableClientReporting":true},"algolia":{"appId":"MQ57UUUQZ2","apiKeySearch":"394474ced050e3911ae2249ecc774921","indexPrefix":"medium_","host":"-dsn.algolia.net"},"recaptchaKey":"6Lfc37IUAAAAAKGGtC6rLS13R1Hrw_BqADfS1LRk","recaptcha3Key":"6Lf8R9wUAAAAABMI_85Wb8melS7Zj6ziuf99Yot5","datadog":{"applicationId":"6702d87d-a7e0-42fe-bbcb-95b469547ea0","clientToken":"pub853ea8d17ad6821d9f8f11861d23dfed","rumToken":"pubf9cc52896502b9413b68ba36fc0c7162","context":{"deployment":{"target":"production","tag":"main-20211221-164410-1a06fba482","commit":"1a06fba482b2db140c3b32d276409078993c91f6"}},"datacenter":"us"},"googleAnalyticsCode":"UA-24232453-2","googlePay":{"apiVersion":"2","apiVersionMinor":"0","merchantId":"BCR2DN6TV7EMTGBM","merchantName":"Medium","instanceMerchantId":"13685562959212738550"},"applePay":{"version":3},"signInWallCustomDomainCollectionIds":["3a8144eabfe3","336d898217ee","61061eb0c96b","138adf9c44c","819cc2aaeee0"],"mediumOwned
AndOperatedCollectionIds":["8a9336e5bb4","b7e45b22fec3","193b68bd4fba","8d6b8a439e32","54c98c43354d","3f6ecf56618","d944778ce714","92d2092dc598","ae2a65f35510","1285ba81cada","544c7006046e","fc8964313712","40187e704f1c","88d9857e584e","7b6769f2748b","bcc38c8f6edf","cef6983b292","cb8577c9149e","444d13b52878","713d7dbc99b0","ef8e90590e66","191186aaafa0","55760f21cdc5","9dc80918cc93","bdc4052bbdba","8ccfed20cbb2"],"tierOneDomains":["medium.com","thebolditalic.com","arcdigital.media","towardsdatascience.com","uxdesign.cc","codeburst.io","psiloveyou.xyz","writingcooperative.com","entrepreneurshandbook.co","prototypr.io","betterhumans.coach.me","theascent.pub"],"topicsToFollow":["d61cf867d93f","8a146bc21b28","1eca0103fff3","4d562ee63426","aef1078a3ef5","e15e46793f8d","6158eb913466","55f1c20aba7a","3d18b94f6858","4861fee224fd","63c6f1f93ee","1d98b3a9a871","decb52b64abf","ae5d4995e225","830cded25262"],"topicToTagMappings":{"accessibility":"accessibility","addiction":"addiction","android-development":"android-development","art":"art","artificial-intelligence":"artificial-intelligence","astrology":"astrology","basic-income":"basic-income","beauty":"beauty","biotech":"biotech","blockchain":"blockchain","books":"books","business":"business","cannabis":"cannabis","cities":"cities","climate-change":"climate-change","comics":"comics","coronavirus":"coronavirus","creativity":"creativity","cryptocurrency":"cryptocurrency","culture":"culture","cybersecurity":"cybersecurity","data-science":"data-science","design":"design","digital-life":"digital-life","disability":"disability","economy":"economy","education":"education","equality":"equality","family":"family","feminism":"feminism","fiction":"fiction","film":"film","fitness":"fitness","food":"food","freelancing":"freelancing","future":"future","gadgets":"gadgets","gaming":"gaming","gun-control":"gun-control","health":"health","history":"history","humor":"humor","immigration":"immigration","ios-development":"ios-development","javascript
":"javascript","justice":"justice","language":"language","leadership":"leadership","lgbtqia":"lgbtqia","lifestyle":"lifestyle","machine-learning":"machine-learning","makers":"makers","marketing":"marketing","math":"math","media":"media","mental-health":"mental-health","mindfulness":"mindfulness","money":"money","music":"music","neuroscience":"neuroscience","nonfiction":"nonfiction","outdoors":"outdoors","parenting":"parenting","pets":"pets","philosophy":"philosophy","photography":"photography","podcasts":"podcast","poetry":"poetry","politics":"politics","privacy":"privacy","product-management":"product-management","productivity":"productivity","programming":"programming","psychedelics":"psychedelics","psychology":"psychology","race":"race","relationships":"relationships","religion":"religion","remote-work":"remote-work","san-francisco":"san-francisco","science":"science","self":"self","self-driving-cars":"self-driving-cars","sexuality":"sexuality","social-media":"social-media","society":"society","software-engineering":"software-engineering","space":"space","spirituality":"spirituality","sports":"sports","startups":"startup","style":"style","technology":"technology","transportation":"transportation","travel":"travel","true-crime":"true-crime","tv":"tv","ux":"ux","venture-capital":"venture-capital","visual-design":"visual-design","work":"work","world":"world","writing":"writing"},"defaultImages":{"avatar":{"imageId":"1*dmbNkD5D-u45r44go_cf0g.png","height":150,"width":150},"orgLogo":{"imageId":"1*OMF3fSqH8t4xBJ9-6oZDZw.png","height":106,"width":545},"postLogo":{"imageId":"1*kFrc4tBFM_tCis-2Ic87WA.png","height":810,"width":1440},"postPreviewImage":{"imageId":"1*hn4v1tCaJy7cWMyb0bpNpQ.png","height":386,"width":579}},"collectionStructuredData":{"8d6b8a439e32":{"name":"Elemental","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u00
2Fcdn-images-1.medium.com\u002Fmax\u002F980\u002F1*9ygdqoKprhwuTVKUM0DLPA@2x.png","width":980,"height":159}}},"3f6ecf56618":{"name":"Forge","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F596\u002F1*uULpIlImcO5TDuBZ6lm7Lg@2x.png","width":596,"height":183}}},"ae2a65f35510":{"name":"GEN","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F264\u002F1*RdVZMdvfV3YiZTw6mX7yWA.png","width":264,"height":140}}},"88d9857e584e":{"name":"LEVEL","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*JqYMhNX6KNNb2UlqGqO2WQ.png","width":540,"height":108}}},"7b6769f2748b":{"name":"Marker","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F383\u002F1*haCUs0wF6TgOOvfoY-jEoQ@2x.png","width":383,"height":92}}},"444d13b52878":{"name":"OneZero","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*cw32fIqCbRWzwJaoQw6BUg.png","width":540,"height":123}}},"8ccfed20cbb2":{"name":"Zora","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u
002Fmax\u002F540\u002F1*tZUQqRcCCZDXjjiZ4bDvgQ.png","width":540,"height":106}}}},"embeddedPostIds":{"coronavirus":"cd3010f9d81f"},"sharedCdcMessaging":{"COVID_APPLICABLE_TAG_SLUGS":[],"COVID_APPLICABLE_TOPIC_NAMES":[],"COVID_APPLICABLE_TOPIC_NAMES_FOR_TOPIC_PAGE":[],"COVID_MESSAGES":{"tierA":{"text":"For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":66,"end":73,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"tierB":{"text":"Anyone can publish on Medium per our Policies, but we don’t fact-check every story. For more info about the coronavirus, see cdc.gov.","markups":[{"start":37,"end":45,"href":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Fcategories\u002F201931128-Policies-Safety"},{"start":125,"end":132,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"paywall":{"text":"This article has been made free for everyone, thanks to Medium Members. For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":56,"end":70,"href":"https:\u002F\u002Fmedium.com\u002Fmembership"},{"start":138,"end":145,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"unbound":{"text":"This article is free for everyone, thanks to Medium Members. For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":45,"end":59,"href":"https:\u002F\u002Fmedium.com\u002Fmembership"},{"start":127,"end":134,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]}},"COVID_BANNER_POST_ID_OVERRIDE_WHITELIST":["3b31a67bff4a"]},"sharedVoteMessaging":{"TAGS":["politics","election-2020","government","us-politics","election","2020-presidential-race","trump","donald-trump","democrats","republicans","congress","republican-party","democratic-party","biden","joe-biden","maga"],"TOPICS":["politics","election"],"MESSAGE":{"text":"Find out more about the U.S. 
election results here.","markups":[{"start":46,"end":50,"href":"https:\u002F\u002Fcookpolitical.com\u002F2020-national-popular-vote-tracker"}]},"EXCLUDE_POSTS":["397ef29e3ca5"]},"embedPostRules":[],"recircOptions":{"v1":{"limit":3},"v2":{"limit":8}},"braintreeClientKey":"production_zjkj96jm_m56f8fqpf7ngnrd4","braintree":{"enabled":true,"merchantId":"m56f8fqpf7ngnrd4","merchantAccountId":{"usd":"AMediumCorporation_instant","eur":"amediumcorporation_EUR"},"publicKey":"cwr8xtycwgjryv82","braintreeEnvironment":"production","dashboardUrl":"https:\u002F\u002Fwww.braintreegateway.com\u002Fmerchants","gracePeriodDurationInDays":14,"mediumMembershipPlanId":{"monthly":"ce105f8c57a3","monthlyWithTrial":"d5ee3dbe3db8","yearly":"a40ad4a43185","yearlyStaff":"d74fb811198a","yearlyWithTrial":"b3bc7350e5c7"},"braintreeDiscountId":{"oneMonthFree":"MONTHS_FREE_01","threeMonthsFree":"MONTHS_FREE_03","sixMonthsFree":"MONTHS_FREE_06"},"3DSecureVersion":"2","defaultCurrency":"usd"},"paypalClientId":"AXj1G4fotC2GE8KzWX9mSxCH1wmPE3nJglf4Z2ig_amnhvlMVX87otaq58niAg9iuLktVNF_1WCMnN7v","paypal":{"host":"https:\u002F\u002Fapi.paypal.com:443","clientMode":"production","serverMode":"live","webhookId":"4G466076A0294510S","monthlyPlan":{"planId":"P-9WR0658853113943TMU5FDQA","name":"Medium Membership (Monthly) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"yearlyPlan":{"planId":"P-7N8963881P8875835MU5JOPQ","name":"Medium Membership (Annual) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"oneYearGift":{"name":"Medium Membership (1 Year, Digital Gift Code)","description":"Unlimited access to the best and brightest stories on Medium. 
Gift codes can be redeemed at medium.com\u002Fredeem.","price":"50.00","currency":"USD","sku":"membership-gift-1-yr"},"oldMonthlyPlan":{"planId":"P-96U02458LM656772MJZUVH2Y","name":"Medium Membership (Monthly)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"oldYearlyPlan":{"planId":"P-59P80963JF186412JJZU3SMI","name":"Medium Membership (Annual)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"monthlyPlanWithTrial":{"planId":"P-66C21969LR178604GJPVKUKY","name":"Medium Membership (Monthly) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"yearlyPlanWithTrial":{"planId":"P-6XW32684EX226940VKCT2MFA","name":"Medium Membership (Annual) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"oldMonthlyPlanNoSetupFee":{"planId":"P-4N046520HR188054PCJC7LJI","name":"Medium Membership (Monthly)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"oldYearlyPlanNoSetupFee":{"planId":"P-7A4913502Y5181304CJEJMXQ","name":"Medium Membership (Annual)","description":"Unlimited access to the best and brightest stories on Medium. 
Membership billed annually."},"sdkUrl":"https:\u002F\u002Fwww.paypal.com\u002Fsdk\u002Fjs"},"stripePublishableKey":"pk_live_7FReX44VnNIInZwrIIx6ghjl","log":{"json":true,"level":"info"}},"session":{"xsrf":""}}</script><script>window.__APOLLO_STATE__ = {"ROOT_QUERY":{"__typename":"Query","meterPost({\"postId\":\"da7da34ed301\",\"postMeteringOptions\":{\"referrer\":\"\",\"sk\":null,\"source\":null}})":{"__ref":"MeteringInfo:{}"},"postResult({\"id\":\"da7da34ed301\"})":{"__ref":"Post:da7da34ed301"}},"MeteringInfo:{}":{"__typename":"MeteringInfo","postIds":[],"maxUnlockCount":3,"unlocksRemaining":0},"User:138f8633036e":{"id":"138f8633036e","__typename":"User","name":"Rex Guo","username":"rex-11050","newsletterV3":{"__ref":"NewsletterV3:bf1ea97912c3"},"customStyleSheet":null,"isSuspended":false,"bio":"Redefining security at Lacework | Ex-Cisco Acquisition | Ex-Intel Security | Blackhat\u002FDefcon speaker | @Xiaofei_REX","imageId":"1*oJssekvq2DlebIDSamLo-A.png","hasCompletedProfile":false,"isAuroraVisible":true,"mediumMemberAt":0,"socialStats":{"__typename":"SocialStats","followerCount":24,"followingCount":3,"collectionFollowingCount":2},"customDomainState":{"__typename":"CustomDomainState","live":{"__typename":"CustomDomain","domain":"rex-11050.medium.com","status":"ACTIVE","isSubdomain":true}},"hasSubdomain":true,"bookAuthor":null,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:138f8633036e-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"homepagePostsConnection({\"paging\":{\"limit\":1}})":{"__typename":"PostConnection","posts":[{"__ref":"Post:da7da34ed301"}]},"postSubscribeMembershipUpsellShownAt":0,"allowNotes":true,"replyToEmailBannerShownCount":0,"twitterScreenName":"Xiaofei_REX","followedCollections":2,"referredMembershipCustomHeadline":"","referredMembershipCustomBody":"","atsQualifiedAt":1620986257962},"ImageMetadata:":{"id":"","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"CollectionViewerEdge:collectionId
:7b3e2b415688-viewerId:lo_16e6ace5c43c":{"id":"collectionId:7b3e2b415688-viewerId:lo_16e6ace5c43c","__typename":"CollectionViewerEdge","isEditor":false},"ImageMetadata:1*ZP9VuUzDajG62zTUd0fdpw.png":{"id":"1*ZP9VuUzDajG62zTUd0fdpw.png","__typename":"ImageMetadata","originalWidth":1025,"originalHeight":1025},"User:ff605f3b4a67":{"id":"ff605f3b4a67","__typename":"User","atsQualifiedAt":0},"ImageMetadata:1*7tbfIVWetsgd4ZTsKMoyEA.png":{"id":"1*7tbfIVWetsgd4ZTsKMoyEA.png","__typename":"ImageMetadata"},"Collection:7b3e2b415688":{"id":"7b3e2b415688","__typename":"Collection","domain":null,"googleAnalyticsId":null,"slug":"confluera-engineering","colorBehavior":"ACCENT_COLOR","isAuroraVisible":false,"favicon":{"__ref":"ImageMetadata:"},"name":"Confluera Engineering","colorPalette":{"__typename":"ColorPalette","highlightSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FFF4F2F2","point":0},{"__typename":"ColorPoint","color":"#FFF2F0F0","point":0.1},{"__typename":"ColorPoint","color":"#FFF0EEEE","point":0.2},{"__typename":"ColorPoint","color":"#FFEEECEC","point":0.3},{"__typename":"ColorPoint","color":"#FFECEBEA","point":0.4},{"__typename":"ColorPoint","color":"#FFEAE9E8","point":0.5},{"__typename":"ColorPoint","color":"#FFE8E7E7","point":0.6},{"__typename":"ColorPoint","color":"#FFE6E5E5","point":0.7},{"__typename":"ColorPoint","color":"#FFE4E3E3","point":0.8},{"__typename":"ColorPoint","color":"#FFE2E1E1","point":0.9},{"__typename":"ColorPoint","color":"#FFE0DFDF","point":1}]},"defaultBackgroundSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FF848585","point":0},{"__typename":"ColorPoint","color":"#FF7B7B7B","point":0.1},{"__typename":"ColorPoint","color":"#FF717272","point":0.2},{"__typename":"ColorPoint","color":"#FF686868","point":0.3},{"__typename":"ColorPoint","color":"#FF5E5E5E","point":0.4},{"__typename":"ColorPoint","color":
"#FF545454","point":0.5},{"__typename":"ColorPoint","color":"#FF494A4A","point":0.6},{"__typename":"ColorPoint","color":"#FF3F3F3F","point":0.7},{"__typename":"ColorPoint","color":"#FF333333","point":0.8},{"__typename":"ColorPoint","color":"#FF272727","point":0.9},{"__typename":"ColorPoint","color":"#FF1A1A1A","point":1}]},"tintBackgroundSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FFFFFFFF","point":0},{"__typename":"ColorPoint","color":"#FFECECEC","point":0.1},{"__typename":"ColorPoint","color":"#FFD9D9D9","point":0.2},{"__typename":"ColorPoint","color":"#FFC5C6C6","point":0.3},{"__typename":"ColorPoint","color":"#FFB1B1B1","point":0.4},{"__typename":"ColorPoint","color":"#FF9C9D9D","point":0.5},{"__typename":"ColorPoint","color":"#FF868787","point":0.6},{"__typename":"ColorPoint","color":"#FF6F7071","point":0.7},{"__typename":"ColorPoint","color":"#FF575959","point":0.8},{"__typename":"ColorPoint","color":"#FF3D3F3F","point":0.9},{"__typename":"ColorPoint","color":"#FF202122","point":1}]}},"customStyleSheet":null,"tagline":"Confluera Engineering Blog","isAuroraEligible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:7b3e2b415688-viewerId:lo_16e6ace5c43c"},"logo":{"__ref":"ImageMetadata:1*ZP9VuUzDajG62zTUd0fdpw.png"},"navItems":[],"creator":{"__ref":"User:ff605f3b4a67"},"subscriberCount":42,"newsletterV3":null,"avatar":{"__ref":"ImageMetadata:1*7tbfIVWetsgd4ZTsKMoyEA.png"},"canToggleEmail":false,"description":"Confluera engineering is not perfect, but we pursue perfection. 
We write our journey here.","ampEnabled":false,"twitterUsername":null,"facebookPageId":null,"customDomainState":null,"ptsQualifiedAt":0},"UserViewerEdge:userId:138f8633036e-viewerId:lo_16e6ace5c43c":{"id":"userId:138f8633036e-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"NewsletterV3:bf1ea97912c3":{"id":"bf1ea97912c3","__typename":"NewsletterV3","type":"NEWSLETTER_TYPE_AUTHOR","slug":"138f8633036e","name":"138f8633036e","collection":null,"user":{"__ref":"User:138f8633036e"},"description":"","promoHeadline":"","promoBody":"","replyToEmail":"","showPromo":false,"subscribersCount":1},"Post:da7da34ed301":{"id":"da7da34ed301","__typename":"Post","creator":{"__ref":"User:138f8633036e"},"canonicalUrl":"","collection":{"__ref":"Collection:7b3e2b415688"},"content({\"postMeteringOptions\":{\"referrer\":\"\",\"sk\":null,\"source\":null}})":{"__typename":"PostContent","isLockedPreviewOnly":false,"validatedShareKey":"","bodyModel":{"__typename":"RichText","paragraphs":[{"__ref":"Paragraph:683c4c68b256_0"},{"__ref":"Paragraph:683c4c68b256_1"},{"__ref":"Paragraph:683c4c68b256_2"},{"__ref":"Paragraph:683c4c68b256_3"},{"__ref":"Paragraph:683c4c68b256_4"},{"__ref":"Paragraph:683c4c68b256_5"},{"__ref":"Paragraph:683c4c68b256_6"},{"__ref":"Paragraph:683c4c68b256_7"},{"__ref":"Paragraph:683c4c68b256_8"},{"__ref":"Paragraph:683c4c68b256_9"},{"__ref":"Paragraph:683c4c68b256_10"},{"__ref":"Paragraph:683c4c68b256_11"},{"__ref":"Paragraph:683c4c68b256_12"},{"__ref":"Paragraph:683c4c68b256_13"},{"__ref":"Paragraph:683c4c68b256_14"},{"__ref":"Paragraph:683c4c68b256_15"},{"__ref":"Paragraph:683c4c68b256_16"},{"__ref":"Paragraph:683c4c68b256_17"},{"__ref":"Paragraph:683c4c68b256_18"},{"__ref":"Paragraph:683c4c68b256_19"},{"__ref":"Paragraph:683c4c68b256_20"},{"__ref":"Paragraph:683c4c68b256_21"},{"__ref":"Paragraph:683c4c68b256_22"},{"__ref":"Paragraph:683c4c68b256_23"},{"__ref":"Paragraph:683c4c68b256_24"},{"__ref":"Paragraph:683c4c68b256_25"},{"__
ref":"Paragraph:683c4c68b256_26"},{"__ref":"Paragraph:683c4c68b256_27"},{"__ref":"Paragraph:683c4c68b256_28"},{"__ref":"Paragraph:683c4c68b256_29"},{"__ref":"Paragraph:683c4c68b256_30"},{"__ref":"Paragraph:683c4c68b256_31"},{"__ref":"Paragraph:683c4c68b256_32"},{"__ref":"Paragraph:683c4c68b256_33"},{"__ref":"Paragraph:683c4c68b256_34"},{"__ref":"Paragraph:683c4c68b256_35"}],"sections":[{"__typename":"Section","name":"6a32","startIndex":0,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null}]}},"customStyleSheet":null,"firstPublishedAt":1638558208562,"isIndexable":true,"isLocked":false,"isPublished":true,"isShortform":false,"layerCake":0,"primaryTopic":null,"title":"Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&CK v10","isMarkedPaywallOnly":false,"mediumUrl":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering\u002Freflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301","readingTime":3.3037735849056604,"detectedLanguage":"en","wordCount":690,"isLimitedState":false,"visibility":"PUBLIC","license":"ALL_RIGHTS_RESERVED","inResponseToPostResult":null,"allowResponses":true,"newsletterId":"","sequence":null,"tags":[],"topics":[{"__typename":"Topic","topicId":"d4e7f4144ac5","name":"Cybersecurity"},{"__typename":"Topic","topicId":"decb52b64abf","name":"Programming"}],"isNewsletter":false,"isPublishToEmail":false,"socialTitle":"","socialDek":"","noIndex":null,"curationStatus":null,"metaDescription":"","latestPublishedAt":1638558208562,"previewContent":{"__typename":"PreviewContent","subtitle":"Summary"},"previewImage":{"__ref":"ImageMetadata:1*Mbys1dtuQsMUa8q0NtkpDw.png"},"clapCount":10,"postResponses":{"__typename":"PostResponses","count":0},"isSuspended":false,"pendingCollection":null,"statusForCollection":"APPROVED","lockedSource":"LOCKED_POST_SOURCE_NONE","pinnedAt":0,"pinnedByCreatorAt":0,"curationEligibleAt":0,"responseDistribution":"NOT_DIST
RIBUTED","inResponseToEntityType":null,"internalLinks({\"paging\":{\"limit\":8}})":{"__typename":"InternalLinksConnection","items":[{"__ref":"Post:a3729aa074e6"},{"__ref":"Post:c1b949eeb1f"},{"__ref":"Post:2c7937a01266"},{"__ref":"Post:aaffc659b655"},{"__ref":"Post:19e1481ef8d"},{"__ref":"Post:e5d23dc8120b"},{"__ref":"Post:746ff022079e"},{"__ref":"Post:340eceab6aab"}]},"viewerEdge":{"__ref":"PostViewerEdge:postId:da7da34ed301-viewerId:lo_16e6ace5c43c"},"collaborators":[],"translationSourcePost":null,"audioVersionUrl":"","seoTitle":"","updatedAt":1640144394598,"shortformType":"SHORTFORM_TYPE_LINK","structuredData":"","seoDescription":"","latestPublishedVersion":"683c4c68b256","isAuthorNewsletter":false,"voterCount":2,"recommenders":[],"content({})":{"__typename":"PostContent","isLockedPreviewOnly":false,"validatedShareKey":"","bodyModel":{"__typename":"RichText","paragraphs":[{"__ref":"Paragraph:683c4c68b256_0"},{"__ref":"Paragraph:683c4c68b256_1"},{"__ref":"Paragraph:683c4c68b256_2"},{"__ref":"Paragraph:683c4c68b256_3"},{"__ref":"Paragraph:683c4c68b256_4"},{"__ref":"Paragraph:683c4c68b256_5"},{"__ref":"Paragraph:683c4c68b256_6"},{"__ref":"Paragraph:683c4c68b256_7"},{"__ref":"Paragraph:683c4c68b256_8"},{"__ref":"Paragraph:683c4c68b256_9"},{"__ref":"Paragraph:683c4c68b256_10"},{"__ref":"Paragraph:683c4c68b256_11"},{"__ref":"Paragraph:683c4c68b256_12"},{"__ref":"Paragraph:683c4c68b256_13"},{"__ref":"Paragraph:683c4c68b256_14"},{"__ref":"Paragraph:683c4c68b256_15"},{"__ref":"Paragraph:683c4c68b256_16"},{"__ref":"Paragraph:683c4c68b256_17"},{"__ref":"Paragraph:683c4c68b256_18"},{"__ref":"Paragraph:683c4c68b256_19"},{"__ref":"Paragraph:683c4c68b256_20"},{"__ref":"Paragraph:683c4c68b256_21"},{"__ref":"Paragraph:683c4c68b256_22"},{"__ref":"Paragraph:683c4c68b256_23"},{"__ref":"Paragraph:683c4c68b256_24"},{"__ref":"Paragraph:683c4c68b256_25"},{"__ref":"Paragraph:683c4c68b256_26"},{"__ref":"Paragraph:683c4c68b256_27"},{"__ref":"Paragraph:683c4c68b256_28"},{"__ref":"Paragraph:
683c4c68b256_29"},{"__ref":"Paragraph:683c4c68b256_30"},{"__ref":"Paragraph:683c4c68b256_31"},{"__ref":"Paragraph:683c4c68b256_32"},{"__ref":"Paragraph:683c4c68b256_33"},{"__ref":"Paragraph:683c4c68b256_34"},{"__ref":"Paragraph:683c4c68b256_35"}],"sections":[{"__typename":"Section","name":"6a32","startIndex":0,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null}]}}},"Paragraph:683c4c68b256_0":{"id":"683c4c68b256_0","__typename":"Paragraph","name":"3378","text":"Reflective Code Loading in Linux — A New Defense Evasion Technique in MITRE ATT&CK v10","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_1":{"id":"683c4c68b256_1","__typename":"Paragraph","name":"2403","text":"MITRE ATT&CK. Source: attack.mitre.org","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*Mbys1dtuQsMUa8q0NtkpDw.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":22,"end":38,"type":"A","href":"https:\u002F\u002Fattack.mitre.org\u002F","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_2":{"id":"683c4c68b256_2","__typename":"Paragraph","name":"8d01","text":"Summary","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_3":{"id":"683c4c68b256_3","__typename":"Paragraph","name":"8fe2","text":"This blog discusses a Linux reflective code loading technique newly added in the MITRE ATT&CK framework v10 update. 
Our research team contributed this technique to the MITRE ATT&CK organizers to help improve the industry standard.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":28,"end":51,"type":"A","href":"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1620\u002F","anchorType":"LINK","userId":null,"linkMetadata":null},{"__typename":"Markup","start":81,"end":107,"type":"A","href":"https:\u002F\u002Fattack.mitre.org\u002Fresources\u002Fupdates\u002Fupdates-october-2021\u002F#:~:text=The%20October%202021%20(v10)%20ATT%26CK,changes%20released%20in%20ATT%26CK%20v9.","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_4":{"id":"683c4c68b256_4","__typename":"Paragraph","name":"f3f6","text":"Reflective code loading allows threat actors to execute file-based malware without touching the disk! We will discuss how this technique works in Linux and how threat groups use this technique to evade detection.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_5":{"id":"683c4c68b256_5","__typename":"Paragraph","name":"ab68","text":"In our next blog, we will discuss detections and response to this technique. 
This blog is co-authored with Joel Schopp.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":107,"end":118,"type":"A","href":"https:\u002F\u002Fmedium.com\u002F@joel.schopp","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_6":{"id":"683c4c68b256_6","__typename":"Paragraph","name":"e2e9","text":"What is An Anonymous File?","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_7":{"id":"683c4c68b256_7","__typename":"Paragraph","name":"b065","text":"Before we dive in to the details of reflective code loading in Linux, we need to understand anonymous files. Linux uses file as a generic abstraction for many underlying interfaces. Linux kernel 3.17 has introduced the memfd_create() system call. memfd_create()creates an anonymous file and returns a file descriptor that refers to it. The file behaves like a regular file, and it can be modified, truncated, memory-mapped, and so on.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":219,"end":233,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":247,"end":261,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_8":{"id":"683c4c68b256_8","__typename":"Paragraph","name":"d04c","text":"However, unlike a regular file, it lives in RAM and has volatile backing storage. This means that filesystem scanners can’t scan it. Once all references to the file are dropped, it is automatically released. Anonymous memory is used for all backing pages of the file. 
Therefore, files created by memfd_create()have the same semantics as other anonymous memory allocations such as those allocated using mmap() with the MAP_ANONYMOUS flag. The file is not invisible to the host, though: while it is open it remains reachable through the \u002Fproc\u002FPID\u002Ffd entries of the process that holds it, so inspection of live processes can still find it.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":296,"end":310,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":402,"end":408,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":418,"end":431,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":401,"end":402,"type":"A","href":"https:\u002F\u002Fman7.org\u002Flinux\u002Fman-pages\u002Fman2\u002Fmmap.2.html","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_9":{"id":"683c4c68b256_9","__typename":"Paragraph","name":"2fe1","text":"Reflective Code Loading in Linux","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_10":{"id":"683c4c68b256_10","__typename":"Paragraph","name":"41e9","text":"Linux also supports direct execution of an anonymous file in memory by either execve or execveat system call. 
The reflective code loading contains the following steps:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":78,"end":84,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":88,"end":96,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_11":{"id":"683c4c68b256_11","__typename":"Paragraph","name":"df1d","text":"Creates an anonymous file within the application memory","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_12":{"id":"683c4c68b256_12","__typename":"Paragraph","name":"dba8","text":"Writes file content in the anonymous file","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_13":{"id":"683c4c68b256_13","__typename":"Paragraph","name":"62e4","text":"Executes the anonymous file from the memory","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_14":{"id":"683c4c68b256_14","__typename":"Paragraph","name":"78a4","text":"During reflective code loading, the anonymous does not touch the disk. We will use a simple example to demonstrate the idea. 
Part of the code is inspired by a 0x00sec blog.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":166,"end":171,"type":"A","href":"https:\u002F\u002F0x00sec.org\u002Ft\u002Fsuper-stealthy-droppers\u002F3715","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_15":{"id":"683c4c68b256_15","__typename":"Paragraph","name":"a332","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:0*WW5SfAuHrHogCodS"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_16":{"id":"683c4c68b256_16","__typename":"Paragraph","name":"d28d","text":"The program primarily performs the following steps:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_17":{"id":"683c4c68b256_17","__typename":"Paragraph","name":"7dc8","text":"Connects to a network socket. 
For demo purposes, we use localhost and port 1111 as the destination address and port, respectively.","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_18":{"id":"683c4c68b256_18","__typename":"Paragraph","name":"83ec","text":"Creates an anonymous file","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_19":{"id":"683c4c68b256_19","__typename":"Paragraph","name":"a328","text":"Reads file content from the network and writes it to the file in a loop until the file ends or another error condition occurs","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_20":{"id":"683c4c68b256_20","__typename":"Paragraph","name":"b97e","text":"Creates a child process and executes the anonymous file from the child","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_21":{"id":"683c4c68b256_21","__typename":"Paragraph","name":"a3f4","text":"Here are the steps to test the reflective code loading:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_22":{"id":"683c4c68b256_22","__typename":"Paragraph","name":"a216","text":"Pipe an ELF payload to a netcat listener. 
For demo purposes, we are just using a simple xeyes binary from Ubuntu distributions.","type":"OLI","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_23":{"id":"683c4c68b256_23","__typename":"Paragraph","name":"502a","text":"$ cat \u002Fusr\u002Fbin\u002Fxeyes | nc -l $((0x1111))","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_24":{"id":"683c4c68b256_24","__typename":"Paragraph","name":"ee5c","text":"2. Run the above reflective code loading program. If everything works, we can see the program load and execute. We will also see an xeyes window pop up in the GUI. To view the running process artifacts:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_25":{"id":"683c4c68b256_25","__typename":"Paragraph","name":"2044","text":"$ ps -ef --forest","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_26":{"id":"683c4c68b256_26","__typename":"Paragraph","name":"65d5","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:0*ncty52aFfGZ5EtTs"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_27":{"id":"683c4c68b256_27","__typename":"Paragraph","name":"351a","text":"Note that we can changed the program name to an arbitrary string. 
We use [kworker\u002Fu!0] to demonstrate it is possible to confuse an inexperienced analyst.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":73,"end":86,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_28":{"id":"683c4c68b256_28","__typename":"Paragraph","name":"2b9b","text":"How is Reflective Code Loading Used by Threat Groups?","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_29":{"id":"683c4c68b256_29","__typename":"Paragraph","name":"4efb","text":"APT threat group TeamTNT has been using the ezuri loader in the wild to deploy malware. TeamTNT is well known for targeting container and cloud environments. We recommend the readers to this blog from AT&T cybersecurity lab for a detailed analysis of the malware.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":201,"end":223,"type":"A","href":"https:\u002F\u002Fcybersecurity.att.com\u002Fblogs\u002Flabs-research\u002Fmalware-using-new-ezuri-memory-loader","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_30":{"id":"683c4c68b256_30","__typename":"Paragraph","name":"e8ca","text":"The ezuri loader is an open source project that uses the reflective code loading technique we described above. The loader contains a decryption routine before it loads the actual payload. 
At the actual loading stage, it uses the same technique:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":22,"end":42,"type":"A","href":"https:\u002F\u002Fgithub.com\u002Fguitmz\u002Fezuri","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_31":{"id":"683c4c68b256_31","__typename":"Paragraph","name":"bbc8","text":"","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:0*OCKewHBxQrtbH9HI"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_32":{"id":"683c4c68b256_32","__typename":"Paragraph","name":"adba","text":"Conclusion:","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_33":{"id":"683c4c68b256_33","__typename":"Paragraph","name":"bd63","text":"Threat actors are actively using reflective code loading with anonymous files in Linux. Its fileless nature can bypass security tools that are not able to detect and respond to this behavior. The MITRE ATT&CK framework has adopted this technique as part of its latest standard.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:683c4c68b256_34":{"id":"683c4c68b256_34","__typename":"Paragraph","name":"7780","text":"Cloud security teams should obtain the capability to detect and respond to such threats and focus on the application behavior sequences. 
To learn more, please check the second part of this blog.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":169,"end":180,"type":"A","href":"https:\u002F\u002Frex-11050.medium.com\u002Fdetection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:683c4c68b256_35":{"id":"683c4c68b256_35","__typename":"Paragraph","name":"a311","text":"Feel free to reach out with any questions you may have through contact.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":63,"end":70,"type":"A","href":"https:\u002F\u002Fwww.confluera.com\u002Fcontact","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"ImageMetadata:1*Mbys1dtuQsMUa8q0NtkpDw.png":{"id":"1*Mbys1dtuQsMUa8q0NtkpDw.png","__typename":"ImageMetadata","originalHeight":400,"originalWidth":680,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:0*WW5SfAuHrHogCodS":{"id":"0*WW5SfAuHrHogCodS","__typename":"ImageMetadata","originalHeight":1082,"originalWidth":739,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:0*ncty52aFfGZ5EtTs":{"id":"0*ncty52aFfGZ5EtTs","__typename":"ImageMetadata","originalHeight":118,"originalWidth":331,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:0*OCKewHBxQrtbH9HI":{"id":"0*OCKewHBxQrtbH9HI","__typename":"ImageMetadata","originalHeight":680,"originalWidth":1140,"focusPercentX":null,"focusPercentY":null,"alt":null},"ImageMetadata:1*SVVrNQptMHSbWkbbMmiHGg.png":{"id":"1*SVVrNQptMHSbWkbbMmiHGg.png","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"CollectionViewerEdge:collectionId:26bbfeb3f28f-viewerId:lo_16e6ace5c43c":{"id":"collectionId:26bbfeb3f28f-viewerId:lo_16e6ace5c43c","__typename":
"CollectionViewerEdge","isEditor":false},"Collection:26bbfeb3f28f":{"id":"26bbfeb3f28f","__typename":"Collection","name":"GDG Lviv","description":"Making devs happy. More fun, much code. Approved by Doge and Nyan Cat.","tagline":"Making devs happy.","domain":null,"slug":"gdg-lviv","isAuroraEligible":false,"isAuroraVisible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:26bbfeb3f28f-viewerId:lo_16e6ace5c43c"},"canToggleEmail":false},"UserViewerEdge:userId:f55f82616eea-viewerId:lo_16e6ace5c43c":{"id":"userId:f55f82616eea-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"User:f55f82616eea":{"id":"f55f82616eea","__typename":"User","name":"Oleh Zasadnyy","username":"ozasadnyy","bio":"","imageId":"1*jvNlsabyhCuaeAcCWfBSRA.jpeg","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:f55f82616eea-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"newsletterV3":null,"customDomainState":null,"hasSubdomain":false,"postSubscribeMembershipUpsellShownAt":0},"Post:a3729aa074e6":{"id":"a3729aa074e6","__typename":"Post","title":"🎉 Hoverboard v2.0.0 released 
today!","mediumUrl":"https:\u002F\u002Fmedium.com\u002Fgdg-lviv\u002Fhoverboard-v2-0-0-released-today-a3729aa074e6","previewImage":{"__ref":"ImageMetadata:1*SVVrNQptMHSbWkbbMmiHGg.png"},"isPublished":true,"firstPublishedAt":1531473448936,"readingTime":4.759433962264151,"statusForCollection":"APPROVED","isLocked":false,"visibility":"PUBLIC","collection":{"__ref":"Collection:26bbfeb3f28f"},"creator":{"__ref":"User:f55f82616eea"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"ImageMetadata:0*cm66G2k46LCYCWtA":{"id":"0*cm66G2k46LCYCWtA","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"CollectionViewerEdge:collectionId:7219b4dc6c4c-viewerId:lo_16e6ace5c43c":{"id":"collectionId:7219b4dc6c4c-viewerId:lo_16e6ace5c43c","__typename":"CollectionViewerEdge","isEditor":false},"Collection:7219b4dc6c4c":{"id":"7219b4dc6c4c","__typename":"Collection","name":"Analytics Vidhya","description":"Analytics Vidhya is a community of Analytics and Data Science professionals. We are building the next-gen data science ecosystem https:\u002F\u002Fwww.analyticsvidhya.com","tagline":"Analytics Vidhya is a community of Analytics and Data…","domain":null,"slug":"analytics-vidhya","isAuroraEligible":true,"isAuroraVisible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:7219b4dc6c4c-viewerId:lo_16e6ace5c43c"},"canToggleEmail":false},"UserViewerEdge:userId:ffe76186302e-viewerId:lo_16e6ace5c43c":{"id":"userId:ffe76186302e-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"User:ffe76186302e":{"id":"ffe76186302e","__typename":"User","name":"ichen","username":"ichenic","bio":"B.S. Applied Mathematics. 
Currently an analyst intern, interested in learning more about data science.","imageId":"1*AyIIXxDbfJ6U-BDJaP6Xkg.jpeg","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:ffe76186302e-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"newsletterV3":null,"customDomainState":{"__typename":"CustomDomainState","live":{"__typename":"CustomDomain","domain":"ichenic.medium.com"}},"hasSubdomain":true,"postSubscribeMembershipUpsellShownAt":0},"Post:c1b949eeb1f":{"id":"c1b949eeb1f","__typename":"Post","title":"A Guide to Interactive Data Visualizations with Python Plotly","mediumUrl":"https:\u002F\u002Fmedium.com\u002Fanalytics-vidhya\u002Fa-guide-to-interactive-data-visualizations-with-python-plotly-c1b949eeb1f","previewImage":{"__ref":"ImageMetadata:0*cm66G2k46LCYCWtA"},"isPublished":true,"firstPublishedAt":1632973106341,"readingTime":4.361635220125786,"statusForCollection":"APPROVED","isLocked":false,"visibility":"PUBLIC","collection":{"__ref":"Collection:7219b4dc6c4c"},"creator":{"__ref":"User:ffe76186302e"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"ImageMetadata:1*ILlbBj3_5B4sh4S7bEWdfA.png":{"id":"1*ILlbBj3_5B4sh4S7bEWdfA.png","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"UserViewerEdge:userId:148c8c87f4eb-viewerId:lo_16e6ace5c43c":{"id":"userId:148c8c87f4eb-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"User:148c8c87f4eb":{"id":"148c8c87f4eb","__typename":"User","name":"Mohamed Thoufeeq","username":"thoufeeq.musthafa","bio":"","imageId":"0*vchJpcoPgNVau__H","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:148c8c87f4eb-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"newsletterV3":null,"customDomainState":null,"hasSubdomain":false,"postSubscribeMembershipUpsellShownAt":0},"Post:2c7937a01266":{"id":"2c7937a01266","__typename":"Post","title":"MySQL — Indexing 
basics","mediumUrl":"https:\u002F\u002Fmedium.com\u002F@thoufeeq.musthafa\u002Fmysql-indexing-basics-2c7937a01266","previewImage":{"__ref":"ImageMetadata:1*ILlbBj3_5B4sh4S7bEWdfA.png"},"isPublished":true,"firstPublishedAt":1569347107464,"readingTime":3.535849056603774,"statusForCollection":null,"isLocked":false,"visibility":"PUBLIC","collection":null,"creator":{"__ref":"User:148c8c87f4eb"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"ImageMetadata:1*0cMd9NRa8My1I_q01NBECw.png":{"id":"1*0cMd9NRa8My1I_q01NBECw.png","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"CollectionViewerEdge:collectionId:911a41543a61-viewerId:lo_16e6ace5c43c":{"id":"collectionId:911a41543a61-viewerId:lo_16e6ace5c43c","__typename":"CollectionViewerEdge","isEditor":false},"Collection:911a41543a61":{"id":"911a41543a61","__typename":"Collection","name":"The Helium Blog","description":"Building the world’s first decentralized wireless network","tagline":"Building the world’s first decentralized wireless network","domain":"blog.helium.com","slug":"helium-blog","isAuroraEligible":false,"isAuroraVisible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:911a41543a61-viewerId:lo_16e6ace5c43c"},"canToggleEmail":false},"UserViewerEdge:userId:f837fc9a6cd5-viewerId:lo_16e6ace5c43c":{"id":"userId:f837fc9a6cd5-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"NewsletterV3:5d66bc937d66":{"id":"5d66bc937d66","__typename":"NewsletterV3","type":"NEWSLETTER_TYPE_AUTHOR","slug":"f837fc9a6cd5","name":"f837fc9a6cd5","collection":null,"user":{"__ref":"User:f837fc9a6cd5"}},"User:f837fc9a6cd5":{"id":"f837fc9a6cd5","__typename":"User","name":"Abhay Kumar","username":"abhay","newsletterV3":{"__ref":"NewsletterV3:5d66bc937d66"},"bio":"Head of Product @ Helium. 
Formerly @ Square and Powerset.","imageId":"0*Utc3banFRMDZuyKF.jpeg","mediumMemberAt":1574352367000,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:f837fc9a6cd5-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"customDomainState":null,"hasSubdomain":false,"postSubscribeMembershipUpsellShownAt":0},"Post:aaffc659b655":{"id":"aaffc659b655","__typename":"Post","title":"Proof-of-Coverage and Consensus Group Improvements: Call for Discussion","mediumUrl":"https:\u002F\u002Fblog.helium.com\u002Fproof-of-coverage-and-consensus-group-improvements-call-for-discussion-aaffc659b655","previewImage":{"__ref":"ImageMetadata:1*0cMd9NRa8My1I_q01NBECw.png"},"isPublished":true,"firstPublishedAt":1603487240848,"readingTime":3.6415094339622645,"statusForCollection":"APPROVED","isLocked":false,"visibility":"PUBLIC","collection":{"__ref":"Collection:911a41543a61"},"creator":{"__ref":"User:f837fc9a6cd5"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"ImageMetadata:1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg":{"id":"1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"CollectionViewerEdge:collectionId:aa88e244b81a-viewerId:lo_16e6ace5c43c":{"id":"collectionId:aa88e244b81a-viewerId:lo_16e6ace5c43c","__typename":"CollectionViewerEdge","isEditor":false},"Collection:aa88e244b81a":{"id":"aa88e244b81a","__typename":"Collection","name":"Vicara","description":"Vicara is an Immersive Technology Company that develops hardware products and solutions for Mixed Reality based Industrial applications.","tagline":"Vicara is an Immersive Technology Company that 
develops…","domain":null,"slug":"vicara","isAuroraEligible":false,"isAuroraVisible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:aa88e244b81a-viewerId:lo_16e6ace5c43c"},"canToggleEmail":false},"UserViewerEdge:userId:fe884f2ddb25-viewerId:lo_16e6ace5c43c":{"id":"userId:fe884f2ddb25-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"NewsletterV3:5fcab3d69240":{"id":"5fcab3d69240","__typename":"NewsletterV3","type":"NEWSLETTER_TYPE_AUTHOR","slug":"fe884f2ddb25","name":"fe884f2ddb25","collection":null,"user":{"__ref":"User:fe884f2ddb25"}},"User:fe884f2ddb25":{"id":"fe884f2ddb25","__typename":"User","name":"Sanskar Biswal","username":"sanskarbiswal","newsletterV3":{"__ref":"NewsletterV3:5fcab3d69240"},"bio":"Electronics Engineer | Firmware Developer | Programmer | Poet | Writer","imageId":"2*KmuVVgsITmsVXPnu4aWduw.jpeg","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:fe884f2ddb25-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"customDomainState":{"__typename":"CustomDomainState","live":{"__typename":"CustomDomain","domain":"sanskarbiswal.medium.com"}},"hasSubdomain":true,"postSubscribeMembershipUpsellShownAt":0},"Post:19e1481ef8d":{"id":"19e1481ef8d","__typename":"Post","title":"Integrating Gesture Controls into your Applications — Kai 
SDK","mediumUrl":"https:\u002F\u002Fmedium.com\u002Fvicara\u002Fintegrating-gesture-controls-into-your-applications-kai-sdk-19e1481ef8d","previewImage":{"__ref":"ImageMetadata:1*hQjYXqpt1QpWG_Xbg6GgEA.jpeg"},"isPublished":true,"firstPublishedAt":1595849555991,"readingTime":4.590880503144654,"statusForCollection":"APPROVED","isLocked":false,"visibility":"PUBLIC","collection":{"__ref":"Collection:aa88e244b81a"},"creator":{"__ref":"User:fe884f2ddb25"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"UserViewerEdge:userId:b40cf3a95926-viewerId:lo_16e6ace5c43c":{"id":"userId:b40cf3a95926-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"User:b40cf3a95926":{"id":"b40cf3a95926","__typename":"User","name":"Pentadactylisms","username":"pentadactylisms","bio":"","imageId":"1*dmbNkD5D-u45r44go_cf0g.png","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:b40cf3a95926-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"newsletterV3":null,"customDomainState":null,"hasSubdomain":false,"postSubscribeMembershipUpsellShownAt":0},"Post:e5d23dc8120b":{"id":"e5d23dc8120b","__typename":"Post","title":"What they distribute: This ladies’ site is fundamentally, yet as well 
this","mediumUrl":"https:\u002F\u002Fmedium.com\u002F@pentadactylisms\u002Fwhat-they-distribute-this-ladies-site-is-fundamentally-yet-as-well-this-e5d23dc8120b","previewImage":{"__ref":"ImageMetadata:"},"isPublished":true,"firstPublishedAt":1606326487867,"readingTime":6.588679245283019,"statusForCollection":null,"isLocked":false,"visibility":"PUBLIC","collection":null,"creator":{"__ref":"User:b40cf3a95926"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"ImageMetadata:1*sNltK5QVywkYNLBMnbfcgQ.gif":{"id":"1*sNltK5QVywkYNLBMnbfcgQ.gif","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"UserViewerEdge:userId:95ac0973c594-viewerId:lo_16e6ace5c43c":{"id":"userId:95ac0973c594-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"NewsletterV3:a30ebcc72c7":{"id":"a30ebcc72c7","__typename":"NewsletterV3","type":"NEWSLETTER_TYPE_AUTHOR","slug":"95ac0973c594","name":"95ac0973c594","collection":null,"user":{"__ref":"User:95ac0973c594"}},"User:95ac0973c594":{"id":"95ac0973c594","__typename":"User","name":"Matteo Lo Piccolo","username":"matteolopiccolo","newsletterV3":{"__ref":"NewsletterV3:a30ebcc72c7"},"bio":"Always in love with programming, even if late (I'm already 39 years old) I decided to follow my dream! 
We will see how far my passion will take me!","imageId":"1*PT6B1OGAZwWf8Ti60gIWGw.png","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:95ac0973c594-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"customDomainState":{"__typename":"CustomDomainState","live":{"__typename":"CustomDomain","domain":"matteolopiccolo.medium.com"}},"hasSubdomain":true,"postSubscribeMembershipUpsellShownAt":0},"Post:746ff022079e":{"id":"746ff022079e","__typename":"Post","title":"Create a GameObjects and applying materials","mediumUrl":"https:\u002F\u002Fmatteolopiccolo.medium.com\u002Fcreate-a-gameobjects-and-applying-materials-746ff022079e","previewImage":{"__ref":"ImageMetadata:1*sNltK5QVywkYNLBMnbfcgQ.gif"},"isPublished":true,"firstPublishedAt":1617978873350,"readingTime":3.2547169811320753,"statusForCollection":null,"isLocked":false,"visibility":"PUBLIC","collection":null,"creator":{"__ref":"User:95ac0973c594"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"ImageMetadata:1*EP8hPeYQka8ZxuVCI1TLpA.png":{"id":"1*EP8hPeYQka8ZxuVCI1TLpA.png","__typename":"ImageMetadata","focusPercentX":null,"focusPercentY":null},"UserViewerEdge:userId:2022c5dd6519-viewerId:lo_16e6ace5c43c":{"id":"userId:2022c5dd6519-viewerId:lo_16e6ace5c43c","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"User:2022c5dd6519":{"id":"2022c5dd6519","__typename":"User","name":"Aanchal Patial","username":"apatial.27","bio":"We never really grow up, we only learn how to act in public","imageId":"2*ZbORp4oMezu_psepKPofsA.jpeg","mediumMemberAt":0,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:2022c5dd6519-viewerId:lo_16e6ace5c43c"},"viewerIsUser":false,"newsletterV3":null,"customDomainState":null,"hasSubdomain":false,"postSubscribeMembershipUpsellShownAt":0},"Post:340eceab6aab":{"id":"340eceab6aab","__typename":"Post","title":"Day 26 of 31-Day May LeetCode 
Challenge","mediumUrl":"https:\u002F\u002Fmedium.com\u002F@apatial.27\u002Fday-26-of-31-day-may-leetcode-challenge-340eceab6aab","previewImage":{"__ref":"ImageMetadata:1*EP8hPeYQka8ZxuVCI1TLpA.png"},"isPublished":true,"firstPublishedAt":1590476614148,"readingTime":0.30188679245283023,"statusForCollection":null,"isLocked":false,"visibility":"PUBLIC","collection":null,"creator":{"__ref":"User:2022c5dd6519"},"previewContent":{"__typename":"PreviewContent","isFullContent":false}},"PostViewerEdge:postId:da7da34ed301-viewerId:lo_16e6ace5c43c":{"id":"postId:da7da34ed301-viewerId:lo_16e6ace5c43c","__typename":"PostViewerEdge","catalogsConnection":null}}</script><script>window.__MIDDLEWARE_STATE__={"session":{"xsrf":""},"cache":{"cacheStatus":"HIT","shouldUseCache":true}}</script><script src="https://cdn-client.medium.com/lite/static/js/manifest.61e6c8e0.js"></script><script src="https://cdn-client.medium.com/lite/static/js/35565.71cd3bc0.js"></script><script src="https://cdn-client.medium.com/lite/static/js/main.e76d6dd7.js"></script><script src="https://cdn-client.medium.com/lite/static/js/45573.4354ed57.chunk.js"></script>
</body></html>